Security Researchers Find Flaw in iMessage Encryption

Security researchers from Johns Hopkins University have discovered a flaw in Apple's iMessage encryption that allows a skilled attacker to decrypt photos and videos, reports the Washington Post.

Computer Science Professor Matthew D. Green suspected there might be flaw after reading an Apple security guide that described the encryption process. He alerted Apple about the issue and after several months with no fix he and his graduate students decided to prove they could break the encryption.

To intercept a file they wrote software that mimicked an Apple server and targeted a transmission that contained a link to the photo stored in iCloud and a 64-digit key to decrypt the photo. While they couldn't see the key's digits, they were able to guess them. Each time they guessed a digit correctly the phone accepted it. After thousands of attempts they were able to get the key.

Apple and the FBI are in a fierce battle over building a backdoor into the iPhone. Green believes that it makes no sense to weaken the security of the iPhone, especially when it may already be vulnerable to certain attacks.

“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,” said Green. “So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”

Apple says it partially fixed this problem with the release of iOS 9 and it will be fully addressed with the release of iOS 9.3.

“Apple works hard to make our software more secure with every release,” the company said in a statement. “We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability. . . . Security requires constant dedication and we’re grateful to have a community of developers and researchers who help us stay ahead.”